You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+35-35Lines changed: 35 additions & 35 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,31 +1,31 @@
1
-
# LDAP users and groups sync script for Gitlab-CE and Gitlab-EE
1
+
# LDAP users and groups sync script for GitLab-CE and GitLab-EE
2
2
3
-
This nifty little PHP-CLI tool will synchronise users and user groups from an LDAP server to Gitlab community edition instance(s). This also works on enterprise editions on the free tier, of which has identical functionality to the community edition.
3
+
This nifty little PHP-CLI tool will synchronise users and user groups from an LDAP server to GitLab community edition instance(s). This also works on enterprise editions on the free tier, of which has identical functionality to the community edition.
4
4
5
-
Though this functionality is available out of the box with (non-free) Gitlab enterprise edition the pricing model is completely infeasible for teams of hobbyists working on non-revenue based projects but need to use a centralised authentication base.
5
+
Though this functionality is available out of the box with (non-free) GitLab enterprise edition the pricing model is completely infeasible for teams of hobbyists working on non-revenue based projects but need to use a centralised authentication base.
6
6
7
-
As a bonus it can also do a light rake of LDAP users not currently in Gitlab, so those that haven't signed in for their first time can still have projects and permissions assigned to them. **This may make the tool unsuitable git Gitlab-EE as this would certainly impact its licensing fees!**
7
+
As a bonus it can also do a light rake of LDAP users not currently in GitLab, so those that haven't signed in for their first time can still have projects and permissions assigned to them. **This may make the tool unsuitable git GitLab-EE as this would certainly impact its licensing fees!**
8
8
9
9
## **This tool has had basic community quality assurance.**
10
10
11
11
**Use in production environment at your own risk.**
12
12
13
-
Though all of this tool's features are now implemented, very limited testing has happened, so don't expect a perfect experience. You should therefore only use this on test Gitlab CE/EE instances, or if you must use this on your production environment, at the very least take a backup of your Gitlab data before using this.
13
+
Though all of this tool's features are now implemented, very limited testing has happened, so don't expect a perfect experience. You should therefore only use this on test GitLab CE/EE instances, or if you must use this on your production environment, at the very least take a backup of your GitLab data before using this.
14
14
15
15
Features implemented:
16
16
17
17
* Reading users from LDAP
18
18
* Reading groups from LDAP
19
-
* Synchronising users to Gitlab
20
-
* Synchronising groups to Gitlab
21
-
* Synchronising Gitlab group memberships based on LDAP group memberships
19
+
* Synchronising users to GitLab
20
+
* Synchronising groups to GitLab
21
+
* Synchronising GitLab group memberships based on LDAP group memberships
22
22
23
23
Not implemented:
24
24
25
25
* Sub-group handling
26
-
*~~SSH key importing *(in progress)*~~: No longer required: Gitlab has a [native configuration option](https://docs.gitlab.com/ee/administration/auth/ldap/#ldap-sync-configuration-settings) "sync_ssh_keys" to specify a user attribute to synchronise keys from.
26
+
*~~SSH key importing *(in progress)*~~: No longer required: GitLab has a [native configuration option](https://docs.gitlab.com/ee/administration/auth/ldap/#ldap-sync-configuration-settings) "sync_ssh_keys" to specify a user attribute to synchronise keys from.
27
27
28
-
If in doubt use the dry run `-d` option to prevent writing to Gitlab first, combined with `-vv` to see exactly what would happen.
28
+
If in doubt use the dry run `-d` option to prevent writing to GitLab first, combined with `-vv` to see exactly what would happen.
29
29
30
30
**You have been warned!**
31
31
@@ -38,15 +38,15 @@ These instructions will get you a copy of the project up and running on your loc
38
38
Requirements for running this tool from a management station:
39
39
40
40
* Any system that can run PHP-CLI will do. (Even Windows.)
41
-
*[PHP](https://www.php.net) version 8.1 or later: Available to most Linux distributions via `apt-get` or `yum`/`dnf`. You don't need anything web related, but you will need the command line interface.
41
+
*[PHP](https://www.php.net) version 8.2 or later: Available to most Linux distributions via `apt-get` or `yum`/`dnf`. You don't need anything web related, but you will need the command line interface.
42
42
*[PHP's LDAP functions](http://php.net/manual/en/book.ldap.php): Usually installed with PHP as standard, but the LDAP module/functions may not be enabled by default.
43
43
*[Composer](https://getcomposer.org/): Available to most Linux distributions via `apt-get` or `yum`/`dnf`, or manually download it as `composer.phar` alongside this tool.
44
-
* LDAP instance: Used for Gitlab's authentication. It can (likely) be Microsoft Active Directory, OpenLDAP, 389-DS (including FreeIPA), and any other LDAP system, though **most of my testing is with 389-DS (without FreeIPA)**.
45
-
*[Gitlab community edition](https://about.gitlab.com/install/?version=ce) or [Gitlab community edition](https://about.gitlab.com/install/?version=ee) self-hosted: This must be configured to authenticate against an LDAP instance already.
44
+
* LDAP instance: Used for GitLab's authentication. It can (likely) be Microsoft Active Directory, OpenLDAP, 389-DS (including FreeIPA), and any other LDAP system, though **most of my testing is with 389-DS (without FreeIPA)**.
45
+
*[GitLab community edition](https://about.gitlab.com/install/?version=ce) or [GitLab community edition](https://about.gitlab.com/install/?version=ee) self-hosted: This must be configured to authenticate against an LDAP instance already.
46
46
47
47
## Installing
48
48
49
-
Either checkout this project or download it in ZIP form and extract it somewhere safe. The configuration will later contain an LDAP password and Gitlab API secret keys, so do put some protection in place to ensure only you can access it.
49
+
Either checkout this project or download it in ZIP form and extract it somewhere safe. The configuration will later contain an LDAP password and GitLab API secret keys, so do put some protection in place to ensure only you can access it.
50
50
51
51
After this you will need to install PHP components delivered via [Composer](https://getcomposer.org/). To do this open a terminal and change the working directory to this tool's location. (Or add the `-d`/`--working-dir=` option to run from another working directory.)
Specify the attribute used to uniquely identify a user by their user name. Their values must be a simple name of which the user would typically type to login to Gitlab or any other application interfacing with the same directory.
157
+
Specify the attribute used to uniquely identify a user by their user name. Their values must be a simple name of which the user would typically type to login to GitLab or any other application interfacing with the same directory.
158
158
159
159
Default: "uid"
160
160
161
161
##### userMatchAttribute *(string|null)*
162
162
163
163
By default, it is assumed that the **userUniqueAttribute** is a user name that can be used to unambiguously determine group membership of individual persons as well as being used for login credentials. If this is the case with your LDAP structure, set **userMatchAttribute** to be empty.
164
164
165
-
If that is not the case, **userMatchAttribute** can be used to separate these two functions. Specify **userMatchAttribute** to the feature of your user that determines his membership in a group and **userUniqueAttribute** to the user name attribute used for Gitlab login credentials. For instance, in some Microsoft Active Directory versions, groups possess a "member" attribute that lists the "distinguishedName" attributes of each member of the group. The user name however is a different attribute of each user being attributed to that group. In this case, set **userMatchAttribute** to "distinguishedName" and **userUniqueAttribute** to your user name attribute.
165
+
If that is not the case, **userMatchAttribute** can be used to separate these two functions. Specify **userMatchAttribute** to the feature of your user that determines his membership in a group and **userUniqueAttribute** to the user name attribute used for GitLab login credentials. For instance, in some Microsoft Active Directory versions, groups possess a "member" attribute that lists the "distinguishedName" attributes of each member of the group. The user name however is a different attribute of each user being attributed to that group. In this case, set **userMatchAttribute** to "distinguishedName" and **userUniqueAttribute** to your user name attribute.
166
166
167
167
This attribute only makes sense if **groupMemberAttribute** is "memberUid".
168
168
@@ -220,7 +220,7 @@ Default: "memberUid"
220
220
221
221
### gitlab
222
222
223
-
This section configures how to communicate with your Gitlab-CE/EE instance.
223
+
This section configures how to communicate with your GitLab-CE/EE instance.
224
224
225
225
#### options
226
226
@@ -242,7 +242,7 @@ userNamesToIgnore:
242
242
- "Guest"
243
243
```
244
244
245
-
User name "root" will always be ignored because this is the built-in Gitlab root user. This tool will not attempt to create/delete/sync this user name.
245
+
User name "root" will always be ignored because this is the built-in GitLab root user. This tool will not attempt to create/delete/sync this user name.
246
246
247
247
Default: *null*
248
248
@@ -264,25 +264,25 @@ groupNamesToIgnore:
264
264
- "Marketing Staff"
265
265
```
266
266
267
-
Group names "Root" and "Users" will always be ignored because they are built-in Gitlab groups. This will will not attempt to create/delete/sync these group names.
267
+
Group names "Root" and "Users" will always be ignored because they are built-in GitLab groups. This will will not attempt to create/delete/sync these group names.
268
268
269
269
Default: *null*
270
270
271
271
##### createEmptyGroups *(bool|null)*
272
272
273
-
Specify whether groups containing no LDAP users should still be created in Gitlab.
273
+
Specify whether groups containing no LDAP users should still be created in GitLab.
274
274
275
-
You should enable this if you want to specify permissions for groups in advance so they'll be ready when the first user is added to that group. If your directory has a lot of empty groups enabling this would only replicate the clutter to Gitlab, so should be used with care for large directories.
275
+
You should enable this if you want to specify permissions for groups in advance so they'll be ready when the first user is added to that group. If your directory has a lot of empty groups enabling this would only replicate the clutter to GitLab, so should be used with care for large directories.
276
276
277
277
Default: *false*
278
278
279
279
##### deleteExtraGroups *(bool|null)*
280
280
281
-
Specify whether Gitlab groups not found in LDAP should be deleted.
281
+
Specify whether GitLab groups not found in LDAP should be deleted.
282
282
283
-
You should only enable this if you don't like empty groups being left over in Gitlab after doing a purge in your directory. Consider if such groups still contain projects you need to keep. (This scenario remains untested!)
283
+
You should only enable this if you don't like empty groups being left over in GitLab after doing a purge in your directory. Consider if such groups still contain projects you need to keep. (This scenario remains untested!)
284
284
285
-
Only empty Gitlab groups will ever be deleted. If there are extra groups with members still in them they will not be deleted.
285
+
Only empty GitLab groups will ever be deleted. If there are extra groups with members still in them they will not be deleted.
286
286
287
287
Default: *false*
288
288
@@ -296,15 +296,15 @@ The access level to provide users when added to groups.
296
296
* 40: Maintainer
297
297
* 50: Owner
298
298
299
-
This will not interfere with existing group members, so you can adjust user permissions in Gitlab later on.
299
+
This will not interfere with existing group members, so you can adjust user permissions in GitLab later on.
300
300
301
301
Default: 30
302
302
303
303
##### groupNamesOfAdministrators *(array|null)*
304
304
305
305
Specify a list of group names of which members should be granted administrator access.
306
306
307
-
This varies not only according to which directory software you're using, but also how your directory has been structured. Users that have directory administrator access may not necessarily have Gitlab administrator access too, so this one is up to you.
307
+
This varies not only according to which directory software you're using, but also how your directory has been structured. Users that have directory administrator access may not necessarily have GitLab administrator access too, so this one is up to you.
308
308
309
309
* For Microsoft Active Directory this is could be "Domain Admins" and "Enterprise Admins".
310
310
* OpenLDAP and 389-DS do not ship with such a group out of the box as they typically offer a "Directory Administrator" non-user object or similar for administrative purposes via bind DN.
@@ -340,23 +340,23 @@ Default: *null*
340
340
341
341
#### instances *(array)*
342
342
343
-
Declare one or more Gitlab instances to sync with. Each array key represents the instance name, which can be used later on to only sync with a particular instance (out of multiple) when running this tool.
343
+
Declare one or more GitLab instances to sync with. Each array key represents the instance name, which can be used later on to only sync with a particular instance (out of multiple) when running this tool.
344
344
345
345
##### your-instance-name-here *(array)*
346
346
347
-
Make up an instance name. For example if you had multiple Gitlab installations on servers named "Athena" and "Demeter" it would be sensible to tag them as "athena" and "demeter" in your configuration. All sub-sections of this configuration will be repeated for each instance.
347
+
Make up an instance name. For example if you had multiple GitLab installations on servers named "Athena" and "Demeter" it would be sensible to tag them as "athena" and "demeter" in your configuration. All sub-sections of this configuration will be repeated for each instance.
348
348
349
349
###### url *(string)*
350
350
351
-
Specify the full HTTP/HTTPS URL to this Gitlab instance, e.g. "https://athena.gitlab.example.com" or "https://demeter.gitlab.example.com". This is the same URL you use to really visit this Gitlab installation from your web browser.
351
+
Specify the full HTTP/HTTPS URL to this GitLab instance, e.g. "<https://athena.gitlab.example.com>" or "<https://demeter.gitlab.example.com>". This is the same URL you use to really visit this GitLab installation from your web browser.
352
352
353
353
###### token *(string)*
354
354
355
-
Specify an API token (usually a personal token or impersonation token) this tool can use to interface with the Gitlab instance's API. This token will need to have the "api" and "sudo" flags available.
355
+
Specify an API token (usually a personal token or impersonation token) this tool can use to interface with the GitLab instance's API. This token will need to have the "api" and "sudo" flags available.
356
356
357
357
###### ldapServerName *(string)*
358
358
359
-
Specify the LDAP server name used by this Gitlab instance. You can find this in the "ldap_servers" section of the "gitlab.rb" configuration file, which represents an array of data specifying how to interface with LDAP such as server host address, bind DN, encryption, base, etc.
359
+
Specify the LDAP server name used by this GitLab instance. You can find this in the "ldap_servers" section of the "gitlab.rb" configuration file, which represents an array of data specifying how to interface with LDAP such as server host address, bind DN, encryption, base, etc.
360
360
361
361
**You may need to put "ldap" before this value!** This hasn't been tested across different installation types, but using the Omnibus package it appears if your "gitlab.rb" has the following...
362
362
@@ -380,7 +380,7 @@ php bin/console ldap:sync -d
380
380
381
381
Depending on your system's PHP installation you may need to use `php-cli` instead of `php`. (This typically only occurs on WHM/cPanel based servers configured to host PHP via the fast process manager, PHP-FPM.)
382
382
383
-
**The `-d` option is important for your first run.** This enables "dry run" mode, meaning no changes will be persisted to your Gitlab instances. After running this tool you should evaluate the changes that will be made based on the output, then run it again without the `-d` option to persist the changes.
383
+
**The `-d` option is important for your first run.** This enables "dry run" mode, meaning no changes will be persisted to your GitLab instances. After running this tool you should evaluate the changes that will be made based on the output, then run it again without the `-d` option to persist the changes.
384
384
385
385
If you'd like to see more verbose output you can add up to 3 `-v` switches, for example:
386
386
@@ -390,7 +390,7 @@ php bin/console ldap:sync -vv
390
390
php bin/console ldap:sync -vvv
391
391
```
392
392
393
-
If you'd like to only sync with a single Gitlab instance you can specify the name of it as per your configuration as an argument, for example:
393
+
If you'd like to only sync with a single GitLab instance you can specify the name of it as per your configuration as an argument, for example:
394
394
395
395
```console
396
396
php bin/console ldap:sync athena
@@ -410,10 +410,10 @@ PHP source code must comply with [PHP-FIG PSRs](https://www.php-fig.org/psr/) 1,
410
410
411
411
### Potential features
412
412
413
-
* Specifying an attribute on the LDAP user in which this script could write back a user ID for each Gitlab instance.
413
+
* Specifying an attribute on the LDAP user in which this script could write back a user ID for each GitLab instance.
414
414
* This would mean user name (UID) changes in LDAP could be detected and synchronised automatically without user duplication happening.
415
415
* It would likely be a string attribute in the form of `instanceName:userId`, for example `athena:3` and `demeter:15`.
416
-
* It could either be a multi-value attribute to handle multiple Gitlab instances, or a single-value attribute split by a semi-colon, for example `athena:3;demeter:15`.
416
+
* It could either be a multi-value attribute to handle multiple GitLab instances, or a single-value attribute split by a semi-colon, for example `athena:3;demeter:15`.
417
417
* Likely the same as the above but for groups too. (Group renaming.)
0 commit comments